Microsoft Exchange Multiple Vulnerabilities

2014-08-04 Thread np
Exchange Multiple Internal IP Disclosures
--
Advisory:
http://foofus.net/?p=758
http://www.securitypentest.com/2014/08/exchange-multiple-internal-ip.html

Autodiscover Enumeration Vulnerability
--
Advisory:
http://foofus.net/?p=793
http://www.securitypentest.com/2014/08/autodiscover-enumeration-vulnerability.html

CAS Authentication Timing Attack
--
Advisory:
http://foofus.net/?p=784
http://www.securitypentest.com/2014/08/cas-authentication-timing-attack.html

POC video:
http://www.securitypentest.com/2014/08/owa-timing-attack-poc.html

Tools
--
http://foofus.net/?p=804


[slackware-security] samba (SSA:2014-213-01)

2014-08-04 Thread Slackware Security Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[slackware-security]  samba (SSA:2014-213-01)

New samba packages are available for Slackware 14.1 and -current to
fix a security issue.


Here are the details from the Slackware 14.1 ChangeLog:
+--+
patches/packages/samba-4.1.11-i486-1_slack14.1.txz:  Upgraded.
  This update fixes a remote code execution attack on unauthenticated nmbd
  NetBIOS name services.  A malicious browser can send packets that may
  overwrite the heap of the target nmbd NetBIOS name services daemon.
  It may be possible to use this to generate a remote code execution
  vulnerability as the superuser (root).
  For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3560
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the Get Slack section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/samba-4.1.11-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/samba-4.1.11-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/samba-4.1.11-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/samba-4.1.11-x86_64-1.txz


MD5 signatures:
+-+

Slackware 14.1 package:
f9eb404a40088180c93195b679402d8d  samba-4.1.11-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
0ea529ae98cfcba0a54e93919eda9ca5  samba-4.1.11-x86_64-1_slack14.1.txz

Slackware -current package:
bb47fb29b6dcb9a828b1e8dac3e59107  n/samba-4.1.11-i486-1.txz

Slackware x86_64 -current package:
587d9963535d8d42236dd61b91d1a0a8  n/samba-4.1.11-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg samba-4.1.11-i486-1_slack14.1.txz

Then, if Samba is running, restart it:
# /etc/rc.d/rc.samba restart


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

++
| To leave the slackware-security mailing list:  |
++
| Send an email to majord...@slackware.com with this text in the body of |
| the email message: |
||
|   unsubscribe slackware-security   |
||
| You will get a confirmation message back containing instructions to|
| complete the process.  Please do not reply to this email address.  |
++
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAlPcDP0ACgkQakRjwEAQIjPH7QCeO07BMIO8iUL5/RW9LgAKRIkt
R+YAniU6CIkGTjHNUeRDjNZ90RsQbc6E
=wVC8
-END PGP SIGNATURE-


[slackware-security] dhcpcd (SSA:2014-213-02)

2014-08-04 Thread Slackware Security Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[slackware-security]  dhcpcd (SSA:2014-213-02)

New dhcpcd packages are available for Slackware 13.1, 13.37, 14.0, 14.1,
and -current to fix a security issue.


Here are the details from the Slackware 14.1 ChangeLog:
+--+
patches/packages/dhcpcd-6.0.5-i486-3_slack14.1.txz:  Rebuilt.
  This update fixes a security issue where a specially crafted packet
  received from a malicious DHCP server causes dhcpcd to enter an infinite
  loop causing a denial of service.
  Thanks to Tobias Stoeckmann for the bug report.
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the Get Slack section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/dhcpcd-5.2.12-i486-2_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/dhcpcd-5.2.12-x86_64-2_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/dhcpcd-5.2.12-i486-2_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/dhcpcd-5.2.12-x86_64-2_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/dhcpcd-5.5.6-i486-2_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/dhcpcd-5.5.6-x86_64-2_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/dhcpcd-6.0.5-i486-3_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/dhcpcd-6.0.5-x86_64-3_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/dhcpcd-6.0.5-i486-3.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/dhcpcd-6.0.5-x86_64-3.txz


MD5 signatures:
+-+

Slackware 13.1 package:
7ee61ba111c58bfe6147890bae50846e  dhcpcd-5.2.12-i486-2_slack13.1.txz

Slackware x86_64 13.1 package:
b2976c0bc824c53da33bdeaf5647c99b  dhcpcd-5.2.12-x86_64-2_slack13.1.txz

Slackware 13.37 package:
e8fc381c5c5623c3d591ff06585da7f7  dhcpcd-5.2.12-i486-2_slack13.37.txz

Slackware x86_64 13.37 package:
fa7f9341a63b2568a78a812dcbe2a220  dhcpcd-5.2.12-x86_64-2_slack13.37.txz

Slackware 14.0 package:
cb9cb0030a700a664f9634cea787e1a3  dhcpcd-5.5.6-i486-2_slack14.0.txz

Slackware x86_64 14.0 package:
830d0d7230297fb9d8e454acc0ff7a1c  dhcpcd-5.5.6-x86_64-2_slack14.0.txz

Slackware 14.1 package:
0016202a22b11a4741039f302a50a246  dhcpcd-6.0.5-i486-3_slack14.1.txz

Slackware x86_64 14.1 package:
1999479013557ec1e3eca33c7c2f3927  dhcpcd-6.0.5-x86_64-3_slack14.1.txz

Slackware -current package:
6f7335d0dace5432244dcbfbadce9053  n/dhcpcd-6.0.5-i486-3.txz

Slackware x86_64 -current package:
4d0d4e0ae8876022729802e31a30f86c  n/dhcpcd-6.0.5-x86_64-3.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg dhcpcd-6.0.5-i486-3_slack14.1.txz
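Both advisories above (samba, SSA:2014-213-01, and dhcpcd, SSA:2014-213-02) print an "MD5 signatures" block and then tell you to run upgradepkg. The script below is an added example, not part of either Slackware advisory or of Slackware's tooling: it parses that block exactly as it appears in the mails and refuses a package whose digest does not match before you hand it to upgradepkg. The digest lines embedded in the script are copied from the samba advisory; the stand-in package file in demo() is constructed so the script can run offline.

```python
"""Check a downloaded Slackware package against the MD5 list in an advisory.

Added example, not part of the Slackware advisory: it parses the
"MD5 signatures" block as printed in the SSA mails and compares a
local file's digest before upgradepkg is run.
"""
import hashlib
import os
import tempfile

# Lines copied from the SSA:2014-213-01 advisory (sample input for the parser).
ADVISORY_MD5_BLOCK = """\
Slackware 14.1 package:
f9eb404a40088180c93195b679402d8d  samba-4.1.11-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
0ea529ae98cfcba0a54e93919eda9ca5  samba-4.1.11-x86_64-1_slack14.1.txz

Slackware -current package:
bb47fb29b6dcb9a828b1e8dac3e59107  n/samba-4.1.11-i486-1.txz
"""


def parse_md5_list(text):
    """Return {basename: md5hex} from lines of the form '<32 hex>  <path>'.

    Headings ("Slackware 14.1 package:") and blank lines are skipped; the
    'n/' directory prefix used for -current is dropped so the key matches
    the file name as downloaded.
    """
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, path = parts
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest.lower()):
            expected[os.path.basename(path)] = digest.lower()
    return expected


def md5_of_file(path):
    """Stream the file through MD5 so large packages do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, expected):
    """True if the file's MD5 matches the advisory entry for its basename.

    A file the advisory does not list is treated as failing, not as unknown.
    """
    want = expected.get(os.path.basename(path))
    return want is not None and md5_of_file(path) == want


def demo():
    """Write a constructed stand-in package and check it both ways.

    Returns (ok_with_correct_digest, ok_with_tampered_file).
    """
    expected = parse_md5_list(ADVISORY_MD5_BLOCK)
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "samba-4.1.11-i486-1_slack14.1.txz")
        with open(pkg, "wb") as f:
            f.write(b"constructed stand-in for the real package\n")
        # The advisory digest cannot match a stand-in file; substitute the
        # stand-in's own digest to show the success path, then corrupt the file.
        local = dict(expected, **{os.path.basename(pkg): md5_of_file(pkg)})
        good = verify_package(pkg, local)
        with open(pkg, "ab") as f:
            f.write(b"x")
        tampered = verify_package(pkg, local)
    return good, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In practice you would paste the advisory's block into ADVISORY_MD5_BLOCK (or read the mail from a file) and call verify_package() on the downloaded .txz before upgradepkg. The MD5 check catches a corrupted or substituted download; authenticity of the advisory itself rests on the PGP signature and the key published at http://slackware.com/gpg-key, which this script does not verify.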


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAlPcDP4ACgkQakRjwEAQIjPjkgCggZOFhh5E7dDX9fOtxEpPEwD2
MSMAn07HUeUOrIyG299qZO9YsJxOVv0P
=oMBQ
-END PGP SIGNATURE-


[SECURITY] [DSA 2995-1] lzo2 security update

2014-08-04 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2995-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
August 03, 2014http://www.debian.org/security/faq
- -

Package: lzo2
CVE ID : CVE-2014-4607
Debian Bug : 752861

Don A. Bailey from Lab Mouse Security discovered an integer overflow
flaw in the way the lzo library decompressed certain archives compressed
with the LZO algorithm. An attacker could create a specially crafted
LZO-compressed input that, when decompressed by an application using the
lzo library, would cause that application to crash or, potentially,
execute arbitrary code.

For the stable distribution (wheezy), this problem has been fixed in
version 2.06-1+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 2.08-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.08-1.

We recommend that you upgrade your lzo2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
-END PGP SIGNATURE-



[SECURITY] [DSA 2996-1] icedove security update

2014-08-04 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2996-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
August 03, 2014http://www.debian.org/security/faq
- -

Package: icedove
CVE ID : CVE-2014-1544 CVE-2014-1547 CVE-2014-1555 CVE-2014-1556 
 CVE-2014-1557

Multiple security issues have been found in Icedove, Debian's version of 
the Mozilla Thunderbird mail and news client: Multiple memory safety 
errors and use-after-frees may lead to the execution of arbitrary code 
or denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 24.7.0-1~deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
-END PGP SIGNATURE-



ownCloud Unencrypted Private Key Exposure

2014-08-04 Thread Senderek Web Security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Senderek Web Security - Security Advisory

ownCloud Unencrypted Private Key Exposure
=

https://senderek.ie/archive/2014/owncloud_unencrypted_private_key_exposure.php

Revision: 1.00
Last Updated: 3 Aug 2014


Summary:

In consequence of an insufficient threat model, ownCloud is storing all users' private RSA keys in clear text in PHP session files. These unencrypted private keys can be accessed by every web application that has the privilege of the web server user. The affected files exposing cryptographic keys will be stored in the PHP session directory for a number of hours until they are removed.

This issue was reported to ownCloud via encrypted email on Tue, 11 Mar 2014. I received a reply to this report from the vendor on Wed, 12 Mar 2014.

On Tue, 22 July 2014 the vendor confirmed that they will not address this problem, because the protection of user encrypted files from remote attackers that have read access to the file system with web server privilege is not - and will not be - part of their threat model. Consequently, the vendor does not consider this to be a vulnerability or security issue.

Severity: High


Affected Software Versions:

All versions of ownCloud since the introduction of the encryption module in version 5.0.7, including version 7.0.0.


Impact:

An attacker who is able to read the PHP session files by exploiting another web application that is running on the ownCloud server will be able to gather the unencrypted private key of every ownCloud user. All encrypted files that are stored in a user's home directory can be decrypted with this RSA private key, stored in the PHP session files in plain text. If the user's encrypted files are synced to other devices or shared with other servers - for hosting or backup - an attacker will be able to decrypt all user data that is being intercepted, even if the attacker no longer has access to the server's file system.
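An administrator who wants to know whether this exposure is present on their own host can look for PEM private-key armour inside the PHP session store. The scanner below is an added example, not code from the advisory or from ownCloud; it assumes the key is serialised into the session in PEM form (the advisory only says "clear text") and that the session directory is readable by the auditing account. The session directory path and the two session files in demo() are constructed, and the key body is a placeholder rather than a real key.

```python
"""Audit a PHP session directory for private key material left in clear text.

Added example, not code from the advisory or from ownCloud. Assumes the key
appears in PEM form inside the serialised session; the directory scanned is
whatever the caller passes (the PHP session.save_path on a real host).
"""
import os
import re
import tempfile

# PEM armour markers that should never appear in a shared session store.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----")


def scan_session_dir(session_dir):
    """Return a list of (file name, key type) for every session file that
    contains a PEM private key. Files that cannot be read are skipped so a
    partial audit still reports what it could see."""
    hits = []
    for name in sorted(os.listdir(session_dir)):
        path = os.path.join(session_dir, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as f:
                data = f.read()
        except OSError:
            continue
        for m in PRIVATE_KEY_RE.finditer(data):
            hits.append((name, m.group(1).decode()))
    return hits


def demo():
    """Build a constructed session directory with one clean session and one
    session carrying an RSA key, and return the scan result."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample content in PHP's session serialisation style;
        # the key body is a placeholder, not a real key.
        with open(os.path.join(d, "sess_clean"), "wb") as f:
            f.write(b'user_id|s:5:"alice";')
        with open(os.path.join(d, "sess_leaky"), "wb") as f:
            f.write(b'privateKey|s:64:"-----BEGIN RSA PRIVATE KEY-----\n'
                    b'PLACEHOLDER\n-----END RSA PRIVATE KEY-----";')
        return scan_session_dir(d)


if __name__ == "__main__":
    for fname, kind in demo():
        print(f"{fname}: contains {kind}")
```

Run it against the live session.save_path with the web server's privileges to see exactly what a co-hosted application could read; a non-empty result is the condition the advisory describes, and the only remediation the advisory offers is to keep the sensitive data encrypted under a passphrase that never rests on the server.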


Fixes:

In addition to the ownCloud encryption module, users are advised to encrypt their sensitive files separately with a standard server-side encryption mechanism like GnuPG, using a passphrase that is not stored on the server except while being used in memory.

One software solution that extends ownCloud with GnuPG-based server-side encryption can be downloaded here:

https://senderek.ie/downloads/release/cloud/wee-owncloud.tar

A detailed installation tutorial is available at:

https://senderek.ie/wee/cloud/wee-owncloud.php

This general web application extension addresses a more comprehensive threat model that includes the possibility of read access to web server accessible files on the server. However, it does not protect against malicious actions of server admins, as this cannot be prevented by web applications.


Security Advice Policy:

Complete information about reporting security vulnerabilities can be found here:

https://senderek.ie/responsible.disclosure.policy.php

All information in this security advisory is copyrighted because of the time and effort in analysing and documenting the vulnerability described here.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
-END PGP SIGNATURE-


Video WiFi Transfer 1.01 - Directory Traversal Vulnerability

2014-08-04 Thread Vulnerability Lab
Document Title:
===
Video WiFi Transfer 1.01 - Directory Traversal Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1288


Release Date:
=
2014-08-02


Vulnerability Laboratory ID (VL-ID):

1288


Common Vulnerability Scoring System:

6.7


Product & Service Introduction:
===
Using this app, you can download videos to a PC or a smartphone from your iPhone through WiFi. The video downloaded can be played back on a PC and other smartphones as well as Mac and iPhone because the app converts it into an MP4 video. It only takes a few seconds for the conversion. You would say it is the fastest. Just run the app on the iPhone and open the web browser on your PC or Android. That is all that you are required to do. It is quite simple. In addition to the web browser, an FTP client application is also supported to access the videos. Do not pay money for these functions as the app provides all of them without charging.

(Copy of the Homepage: https://itunes.apple.com/de/app/video-wifi-transfer-mp4-conversion/id892132370 )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered a Directory Traversal vulnerability in the official BlueFinger App Video WiFi Transfer/MP4 Conversion v1.01 iOS mobile application.


Vulnerability Disclosure Timeline:
==
2014-08-01: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

BlueFinger Apps
Product: Video WiFi Transfer/MP4 Conversion - iOS Mobile Web Application 1.01


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

A directory traversal web vulnerability has been discovered in the official BlueFinger Apps Video WiFi Transfer v1.01 iOS mobile application. The vulnerability allows remote attackers to bypass the path restriction of a service to access sensitive app, web-server or device information.

The vulnerability is located in the `ftp` (ftp://localhost:8080) service of the wifi `web-server` module. The issue allows an attacker to bypass the regular `folder/path` validation mechanism to access sensitive app, web-server or iOS device information. The attack vector of the issue is on the application-side of the service, and the `GET` method is required to perform the malicious request.

After the start of the web-server by usage of the ftp function, the attacker is able to include 5 more path values (../../../../../) to access unauthorized higher folders outside the mobile application service. In the analysis we saw that the path change of 5 directories is required to bypass. During the tests we accessed the full app service folder and, through the directory traversal, web-server configuration files but also the parent device directory.

The security risk of the directory traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.7. Exploitation of the path traversal web vulnerability requires no privileged web-application user account or user interaction. Successful exploitation of the directory traversal vulnerability results in mobile application or connected device component compromise.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Directory

Vulnerable Parameter(s):
[+] path

Affected Module(s):
[+] Parent Directory (ftp://localhost:8080/)


Note: The structure of the software is the same as in the official BlueFinger Apps `Photo` WiFi Transfer v1.01 iOS mobile application. The same vulnerability is located in both mobile iOS software products of the BlueFinger Apps company.
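The defect described above is the classic one: the service joins a client-supplied path onto its document root without confining the result, so a chain of `../` components walks out of the share. The function below is an added example, not code from the app or from the advisory, showing the check the service should have performed. SERVICE_ROOT is taken from the Documents path in the advisory's exception text; the resolution is purely lexical (posixpath), so on a real file tree a deployment must additionally resolve symlinks with os.path.realpath before comparing.

```python
"""Confine a client-supplied path to a service root.

Added example, not code from the app or the advisory. Lexical only:
posixpath.normpath collapses '.' and '..' but does not follow symlinks,
so a real deployment also needs os.path.realpath on the resolved path.
"""
import posixpath

# Root of the share, as shown in the advisory's exception text.
SERVICE_ROOT = ("/private/var/mobile/Applications/"
                "CFCEEF6E-AA35-42D6-84EC-BFB518F764B1/Documents")


def resolve_under_root(root, requested):
    """Return the absolute path for `requested` inside `root`, or None if the
    request escapes the root.

    Handles any number of '../' components (the PoC uses sixteen), absolute
    requests (treated as root-relative rather than as a filesystem path),
    and '..' hidden behind a legitimate prefix such as 'video/../../etc'.
    """
    root = posixpath.normpath(root)
    # Strip a leading '/' so an absolute request cannot replace the root,
    # then collapse '.' and '..' lexically.
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    # Anything that normalises to a sibling or ancestor of the root is a traversal.
    return None


def is_traversal(requested):
    """Convenience predicate for request logs: True when the path would escape."""
    return resolve_under_root(SERVICE_ROOT, requested) is None


if __name__ == "__main__":
    for req in ("video/clip.mp4", "video/../../etc/passwd", "../" * 16 + "etc"):
        print(f"{req!r:45} -> {resolve_under_root(SERVICE_ROOT, req)}")
```

The comparison must be against the normalised root with a trailing separator, not a bare string prefix: without the `"/"` a root named `.../Documents` would wrongly accept `.../Documents2/x`. The same predicate, run over the FTP request log, also gives a cheap detection rule for the probing shown in the PoC links.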


Proof of Concept (PoC):
===
The directory traversal web vulnerability can be exploited by attackers without a privileged application user account and without user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below to continue.

Exception:
50 
/private/var/mobile/Applications/CFCEEF6E-AA35-42D6-84EC-BFB518F764B1/Documents/video/../../etc/passwd
 No such file or directory.

Standard Request:
ftp://localhost:8080/../../Documents/

PoC: Links
ftp://localhost:8080/../../../../../../../../../../../../../../../../etc
ftp://localhost:8080/../../../../../../../../../../../../../../../../usr/
ftp://localhost:8080/../../../../../../../../../../../../../../../../Applications/
ftp://localhost:8080/../../../../../../../../../../../../../../../../System/


Exploit: PoC (PL)
#!/usr/bin/perl
use LWP::Simple;
print "---\n";
print -= Photo WiFi 

FreeDisk v1.01 iOS - Multiple Web Vulnerabilities

2014-08-04 Thread Vulnerability Lab
Document Title:
===
FreeDisk v1.01 iOS - Multiple Web Vulnerabilities


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1287


Release Date:
=
2014-08-01


Vulnerability Laboratory ID (VL-ID):

1287


Common Vulnerability Scoring System:

7.1


Product & Service Introduction:
===
Transfer files between your iPhone/iPod/iPad and your computers without iTunes! Just start FreeDisk, and your iDevice is automatically turned into a wifi hard drive. You can then connect your iDevice to your computers, and use it as a regular hard drive, and easily transfer files. No need for third party software, or iTunes, to finally exchange files between your iDevices and your computers! FreeDisk can also turn your iDevice into an internet server to share your files with other smartphones (iOS, Android, Windows...)! Last but not least, all your data are protected and can only be read when the app is running.

(Copy of the Homepage: https://itunes.apple.com/us/app/free-disk-turn-your-iphone/id896356251 )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research team discovered multiple vulnerabilities in the official FreeDisk v1.01 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==
2014-08-01: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Sebastien BUET
Product: FreeDisk - iOS Mobile Web Application 1.01


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

1.1
A local file include web vulnerability has been discovered in the official FreeDisk v1.01 iOS mobile web-application. The local file include web vulnerability allows remote attackers to include unauthorized local file/path requests or system-specific path commands to compromise the mobile web-application.

The web vulnerability is located in the `filename` value of the `upload` module. Remote attackers are able to inject their own files with malicious `filename` values in the `uploadfile` POST method request to compromise the mobile web-application. The local file/path include execution occurs in the index `file list` context next to the vulnerable `filename` item value. The attacker is able to inject the local malicious file request by usage of the available `wifi interface` upload form.

Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute different local malicious attack requests. The attack vector is on the application-side of the wifi service and the request method to inject is POST.

The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.8. Exploitation of the local file include web vulnerability requires no privileged web-application user account or user interaction. Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.


Request Method(s):
[+] [POST]

Vulnerable Service(s):
[+] FreeDisk v1.01

Vulnerable Module(s):
[+] upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] FreeDisk App Index File Dir Listing 
(http://localhost:8080/)


1.2
An arbitrary file upload web vulnerability has been discovered in the official FreeDisk v1.01 iOS mobile web-application. The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.

The vulnerability is located in the `upload` module. Remote attackers are able to upload php or js web-shells by renaming the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension `image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & .gif file extension and can access the application file with elevated access rights.

The security risk of the arbitrary file upload web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.4. Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password. Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
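Issues 1.1 and 1.2 share one root cause: the `filename` field of the upload form is trusted, both as a path (the local file include) and as the basis of the extension check (the multi-extension bypass). The code below is an added example, not code from FreeDisk or from the advisory. `last_extension_only` reproduces the weak check the advisory describes being bypassed with `image.jpg.gif.js.php.jpg`; `validate_upload_name` is the hardened version that covers both issues, and `stored_name` shows the usual final step of not letting the client pick the on-disk name at all. The extension allow-list is an assumption for a file-sharing app of this kind.

```python
"""Validate an upload's client-supplied file name.

Added example, not code from FreeDisk or the advisory. The allow-list is an
assumption for a file-sharing app; adjust it to what the service really serves.
"""
import os
import re
import uuid

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "mp4", "mov", "txt", "pdf"}
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def last_extension_only(filename):
    """Weak check: looks only at the text after the final dot, so a name
    carrying several extensions passes as long as the last one is harmless."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def validate_upload_name(filename):
    """Return a normalised 'stem.ext' for an acceptable upload, or None.

    Rejects: path separators and '..' (the local file include vector), NUL
    bytes, more than one extension (the multi-extension bypass), any
    extension outside the allow-list, and characters outside a strict
    stem alphabet (which also removes script injection through the name).
    """
    if not filename or "\x00" in filename:
        return None
    # Only a bare basename is acceptable; any directory component is an attack or a bug.
    if filename != os.path.basename(filename) or "/" in filename or "\\" in filename:
        return None
    parts = filename.split(".")
    if len(parts) != 2:  # exactly 'name.ext': no 'a.b.c', no '.hidden', no 'noext'
        return None
    stem, ext = parts
    if not STEM_RE.fullmatch(stem) or ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    return f"{stem}.{ext.lower()}"


def stored_name(filename):
    """What the server should actually write to disk: a random name with the
    validated extension, so the client never chooses the on-disk path."""
    safe = validate_upload_name(filename)
    if safe is None:
        return None
    return f"{uuid.uuid4().hex}.{safe.rsplit('.', 1)[1]}"


if __name__ == "__main__":
    for name in ("holiday.MP4", "image.jpg.gif.js.php.jpg", "../../etc/passwd", "<script>.jpg"):
        print(f"{name!r:30} weak={last_extension_only(name)!s:5} hardened={validate_upload_name(name)}")
```

Keeping the original name only as display metadata (HTML-escaped in the file list) and serving uploads from a directory the web server will never execute closes the remaining gap even if a future extension is added to the allow-list by mistake.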


Request Method(s):